Security Advisory

ZF2010-02: Potential XSS vector in Zend_Dojo_View_Helper_Editor

Executive Summary

Zend_Dojo_View_Helper_Editor was incorrectly decorating a TEXTAREA
instead of a DIV. The Dojo team has reported that this has security
implications as the rich text editor they use is unable to escape
content for a TEXTAREA.

Action Taken

The primary rationale in Zend Framework for using a TEXTAREA
with the Editor Dijit was to allow for graceful degradation in browser
environments that do not support JavaScript. The component has been reworked
such that we now decorate an HTML DIV, and provide a separate TEXTAREA
within a NOSCRIPT tag for purposes of graceful degradation; content is
escaped in the latter TEXTAREA.

Recommendations

If you use Zend_Dojo_View_Helper_Editor, it is strongly
recommended that you upgrade to either the latest available
Zend Framework release, or one of the following releases, immediately:

1.9.7

1.8.5

1.7.9

Other Information

Acknowledgments

The Zend Framework team thanks the following for working with us to help
protect its users:

Pádraic Brady, who made the initial report and who worked with our
team to ensure that the appropriate actions were taken

Reporting Potential Security Issues

If you have encountered a potential security vulnerability in Zend
Framework, please report it to us at zf-security@zend.com. We will
work with you to verify the vulnerability and patch it.

When reporting issues, please provide the following information:

Component(s) affected

A description indicating how to reproduce the issue

A summary of the security vulnerability and impact

We request that you contact us via the email address above and give the
project contributors a chance to resolve the vulnerability and issue a new
release prior to any public exposure; this helps protect Zend Framework
users and provides them with a chance to upgrade and/or update in order to
protect their applications.

Policy

We will patch the current release branch, as well as the immediate prior
minor release branch.

After patching the release branches, we will immediately issue new
security fix releases for each patched release branch.

A security advisory will be released on the Zend Framework site
detailing the vulnerability, as well as recommendations for end-users to
protect themselves. Security advisories will be listed at http://framework.zend.com/security/advisories, as well as
via a feed (which is also present in the
website head for easy feed discovery)